Additional Security Measures for *nix

Printable View

May 12th, 2003, 06:32 PM
thehorse13

Additional Security Measures for *nix

Many posts here go into great detail about which services to lock down on *nix servers and which versions of security toolz to run such as tripwire and such. One area that seems to get neglect is SUID files, GUID files and world-writable files.

Whenever I am asked to prepare a *nix server, I *always* issue these commands to check and see which files are SUID,GUID and world-writable.

* For SUID:
==============================

find / -type f -perm -4000 -ls

** For GUID
==============================
find / type f -perm -2000 -ls

For World-Writable
==============================
find / -perm -2 -type f -print

You may ask, well, what is the significance of this? It's simple. If I'm looking to comprimise your server and I have exausted all the typical easy avenues, I will eventually begin looking for world writable filez in order to gain root access. In addition, I will certainly look for SUID files that programs use on your machine. Pay close attention to the /dev partition too as it is *very* dangerous to have devices that are world-writable.

Once you lock down file permissions, services and have applied the proper security patches, you shold have a solid *nix system. At this point I usually hammer against the box to be sure that I haven't missed anything. Only after this point, will I install the necessary software and then hammer on it one more time before approving it for internet exposure.

Anyway, just wanted to share a little *nix tip with the AO community.

* Fat finger typo pointed out by Itch
** Fat finger typo pointed out by Itch
--TH13
May 12th, 2003, 06:39 PM
tampabay420

hey, thanx thehorse13, always looking for cool *nix tips...
i'm starting up a BSD Server, and will def. follow your lead :D
May 12th, 2003, 07:06 PM
IchNiSan

hmmmmm... a few corrections.
On my redhat linux boxes anyway...

to find SUID you need to change the line
find / -type f -perm -0400 -ls
to
find / -type f -perm -4000 -ls

for SGID you need to change
find / -type f -perm -0200 -ls
to
find / -type f -perm -2000 -ls

The world writeable seems to be ok though. It is in fact returning world writable files

Good luck,

IchNiSan
May 12th, 2003, 07:12 PM
thehorse13

Ah yes itch, it seems that my extra fat fingers did it again!!! I have gone back and adjusted the syntax giving you credit for the bust! ;)

Thanks!
May 12th, 2003, 07:25 PM
phishphreek

Sweet. Thanks for the tip! I just rebuilt my server at home and I can use this.

I didn't see it mentioned in the many guides that I have read nor did it come up in any of the utilities that I used to check the security.
I'll have to doublecheck.

I used a tool called Tiger and it turned up all kinds of recommendations. Its called Tiger

Quote:

TIGER is a set of Bourne shell scripts, C programs, and data files which are used to perform a security audit of Unix systems. The security audit results are useful both for system analysis (security auditing) and for real-time, host-based intrusion detection.

http://savannah.nongnu.org/projects/tiger

They actaully just released a new version of it a couple days ago.

It alerted me to a bunch of things that I hadn't thought about... but this is my first try at securing a *nix box.
I'm learning so much that I think I need to go home for the day cause my brain is full....

Anywho, has anyone used it? What do you think?
May 12th, 2003, 07:28 PM
thehorse13

Phish buddy,

Another good site is http://www.bastille-linux.org

This is taken directly from the site:

The Bastille Hardening System attempts to "harden" or "tighten" Unix operating systems. It currently supports the Red Hat, Debian, Mandrake, SuSE and TurboLinux Linux distributions along with HP-UX and Mac OS X. We attempt to provide the most secure, yet usable, system possible. The project is run by Jon Lasser, Lead Coordinator and Jay Beale, Lead Developer, and involves a number of developers, beta-testers and concept-creators. Bastille Linux was developed with several major goals:

COMPREHENSIVENESS
Bastille Linux draws from every available major reputable source on Linux Security. The initial development integrated Jay Beale's existing O/S hardening experience for Solaris and Linux with most major points from the SANS' Securing Linux Step by Step, Kurt Seifried's Linux Administrator's Security Guide, and countless other sources.

INSTRUCTIVENESS
Bastille Linux has been designed to educate the installing administrator about the security issues involved in each of the script's tasks, thereby securing both the box and the administrator. Each step is optional and contains a description of the security issues involved.
May 12th, 2003, 07:47 PM
IchNiSan

Thanks for the bastille-linux link thehorse13.

I have heard about it before, but never took the time to look it up.

Thanks for the other info about suid/sgid stuff, its nice to get some info here that lots of people can use to help make their systems more secure.

One quick note to people though about suid and sgid. Don't just willy nilly go removing the sgid or suid setting from these files. Some of them will certainly be fine if you remove the suid or sgid bit from them, but others(like /usr/bin/passwd) need to be suid in order for regular users to perform nescessary functions, like changing their password, as passwd needs to be able to write to /etc/passwd(and also call the shadow utils to edit /etc/shadow and really change your password on systems using shadow passwords, which are hopefully most of them) which is writeable only by root.

Here is a list of SUID files from a default redhat linux 7.3 install.

344699 40 -rwsr-xr-x 1 root root 37624 Feb 12 17:47 /usr/bin/chage
343445 36 -rwsr-xr-x 1 root root 34972 Feb 12 17:48 /usr/bin/gpasswd
343616 20 -rws--x--x 1 root root 16835 Aug 30 2002 /usr/bin/chfn
343617 16 -rws--x--x 1 root root 15664 Aug 30 2002 /usr/bin/chsh
343635 8 -rws--x--x 1 root root 6999 Aug 30 2002 /usr/bin/newgrp
343657 40 -rwsr-xr-x 1 root root 37140 Jul 24 2002 /usr/bin/at
343863 16 -r-s--x--x 1 root root 15368 May 28 2002 /usr/bin/passwd
343933 20 -rwsr-xr-x 1 root root 19131 Jun 23 2002 /usr/bin/rcp
343935 16 -rwsr-xr-x 1 root root 15376 Jun 23 2002 /usr/bin/rlogin
343936 12 -rwsr-xr-x 1 root root 10689 Jun 23 2002 /usr/bin/rsh
343955 88 ---s--x--x 1 root root 84984 Jun 27 2002 /usr/bin/sudo
343974 36 -rwsr-xr-x 1 root root 34662 Jul 19 2002 /usr/bin/crontab
376099 8 -rwsr-xr-x 1 root root 5100 Sep 5 2002 /usr/libexec/pt_chown
180057 164 -rws--x--x 1 root root 162476 Aug 14 2002 /usr/libexec/openssh/ssh-keysign
392470 36 -rwsr-xr-x 1 root root 33071 Jun 23 2002 /usr/sbin/ping6
392474 16 -rwsr-xr-x 1 root root 13718 Jun 23 2002 /usr/sbin/traceroute6
392511 16 -rwsr-xr-x 1 root root 15502 Sep 4 2002 /usr/sbin/usernetctl
392528 32 -rws--x--x 1 root root 29676 Sep 4 2002 /usr/sbin/userhelper
392580 12 -rwsr-xr-x 1 root root 10205 Jul 1 2002 /usr/sbin/userisdnctl
392646 32 -rwsr-xr-x 1 root root 32076 Jun 23 2002 /usr/sbin/traceroute
392891 20 -r-s--x--- 1 root apache 20469 Oct 9 2002 /usr/sbin/suexec
771123 1844 -rws--x--x 1 root root 1884018 Sep 5 2002 /usr/X11R6/bin/XFree86
1095603 36 -rwsr-xr-x 1 root root 35302 Jun 23 2002 /bin/ping
1095643 88 -rwsr-xr-x 1 root root 81996 Aug 30 2002 /bin/mount
1095644 40 -rwsr-xr-x 1 root root 40700 Aug 30 2002 /bin/umount
1095654 20 -rwsr-xr-x 1 root root 19132 Aug 29 2002 /bin/su
654474 8 -r-s--x--x 1 root root 7096 Feb 6 21:15 /sbin/pam_timestamp_check
655431 124 -r-sr-xr-x 1 root root 119400 Feb 6 21:15 /sbin/pwdb_chkpwd
654476 20 -r-sr-xr-x 1 root root 17080 Feb 6 21:15 /sbin/unix_chkpwd

Many of these should be able to have their suid bit removed and have very little effect on the box, but some, like passwd must have suid as root in order for regular users to change their password on a multi-user box. If you are the only user, sure, you could remove that suid(I dont think it would break anything else) and just change your own account password while logged in as root. Also, you might not want to remove the suid from su or sudo. Things like traceroute should be fine to remove it, but some of them might cause you unforseen dificulties.

My only point is MAKE SURE YOU HAVE A CLUE what the file you are removing suid or sgid from does and have some inkling how it will affect your system before removing suid or sgid.

Thanks again for the info thehorse13
May 12th, 2003, 07:53 PM
doc crontab

"Once you lock down file permissions, services and have applied
the proper security patches, you shold have a solid *nix system"

;) Get Lids to lock down the system that is if you want to keep
the bads guy out.

http://www.lids.org/about.html

Doc
May 12th, 2003, 08:29 PM
IchNiSan

um, also, you do know that the bastille has been stormed before right?

http://utut.essortment.com/thestormingof_rksu.htm

hehe 8)
May 12th, 2003, 08:42 PM
thehorse13

Itch,

Indeed I do know that it has been stormed. Actually, world history is another one of my interests. :)

Also, good follow up to my post. When I pop this info up on AO, I assume that the reader has the appropriate knowledge needed to utilize the info. I have faith in most people here :)
May 12th, 2003, 10:15 PM
catch

LIDS is a good extension beyond the normal Linux security. MAC is the bare minimum required for any system to even be considered secure in my opinion. LIDS adds many other neat functionality/architectural changes to Linux as well. Though the purist will note that a LIDS enabled system is no longer Linux or even UN*X-like. (as it is no longer a single level system)

Although I like LIDS and strongly believe it is a step in the right direction... I don't think it is appropriate to use in a live non-dev/research environment. The LIDS development model is too immature for my liking and it's MAC structure too closely based on the original Bell-LaPadula model which has a lot of issues. I think the DBAC based Pitbull LX or the Flask based SE Linux as a distant second would be better choices... the jury is still out on HP's Trusted Linux, but it looks promising. They offer simpler to administer security, with a more clearly defined objective (greater design assurance) and more mature development models. (still greater assurance)

just my two bits :)

catch

d'oh forgot to add links:
http://argus-systems.com/product/overview/lx/
http://www.nsa.gov/selinux/
http://www.hpl.hp.com/research/papers/trustedlinux.html
May 12th, 2003, 10:35 PM
sweet_angel

Re: Additional Security Measures for *nix

Quote:

Originally posted here by thehorse13

Whenever I am asked to prepare a *nix server, I *always* issue these commands to check and see which files are SUID,GUID and world-writable.

* For SUID:
==============================

find / -type f -perm -4000 -ls

** For GUID
==============================
find / type f -perm -2000 -ls

Hi guys,

You wanna try my trick, you just type "one command" and you will have both SUID and GUID instead of typing "# find / -type -perm -4000 -ls and # find / -type f -perm -2000 -ls"

Code:

sweet# find / -type f -perm +6000 -ls

I hope you like my trick

Cheersss

annya
May 12th, 2003, 11:31 PM
gold eagle

thnx to Ichnisan and thehorse. Good tips.
May 15th, 2003, 05:46 AM
phishphreek

I'd just like to add a little advise that was given to me by thehorse13...

If you've ever used Bastille... learn it on a test box!!!

I have completely locked myself out of root and my normal user accounts can't do jack on the machine. I locked it down a little TOOOO much! LoL Good thing it was a test box... or I'd be extremely pissed right now... I put quite a bit of work into configuring my real server...

I actaully can't even reboot the sytem or do anything worthwhile... format and reload.

Anywho... TEST IT ON A TEST BOX and record what you do...
May 15th, 2003, 06:05 AM
PuReExcTacy

Great post, very informative

--PuRe
May 15th, 2003, 12:14 PM
instronics

I am surprised that this has not been posted before with so much destail. Excellent TheHorse.

About time too ;)

Cheers.